A practical guide to securing your IT
Where do I start?
There are so many places you could start securing your IT networks and devices that it can become confusing to the point where nothing gets done. You could start with your PCs and laptops, or with your servers, wireless network or internet access, and what about your smartphones and tablets? It is easy to see why IT security can be so daunting and is so often swept under the carpet in the vain belief that “it will never happen to me”.
The human factor
We hear so much about IT security that we could all be forgiven for thinking that it is purely a technical matter involving a range of technical solutions such as anti-malware and firewalls. But in doing so we could be missing a fundamental element in our effort to keep our organisation secure: people.
Many security breaches start with a person rather than a technical failure, and those are the ones that security hardware and software cannot prevent but education can. You can train your team to be diligent and to question innocent-looking emails claiming to be from official sources. It only takes one person in your team clicking a link in one innocent-looking email for your world to be thrown into disarray, with all your sensitive data in the hands of cybercriminals or your entire file system encrypted with no means of recovery.
Some time ago there were often clues in these emails that something was wrong: spelling mistakes, odd phrasing, the wrong acronyms. Cybercriminals are now combining forces and becoming far more professional in their approach. They operate as an efficient business, with teams of frontline staff sending out email traps on a grand scale, backed up by a professional call centre handling ransom demands.
CEO Fraud and Phishing are a real risk, every hour of the day, every day of the week. If a member of your team receives an email from the CEO requesting a transfer of £20,000 to a bank account they must be empowered to stop and ask if this is a genuine request. If they receive an email from HMRC notifying them of a tax refund they must resist the temptation to click on the link or to provide bank account details to access the refund. If they receive an email from a supplier with an attachment that appears to be an invoice they must stop and think before they open the attachment.
Some of these examples are easier to spot than others, but this is the attention to detail required to minimise the risk of one of these attacks succeeding. Email is inherently insecure: the sender address can be forged, so it is very easy to make an email appear to come from someone you know. In the majority of cases I know of where a team member has clicked on a link, they had some doubt before they took action. The same applies to the cases where a member of staff has transferred funds to a bank account believing it to be an instruction from their CEO: they had some doubt before they took action. This highlights that email has been seen as a trusted form of communication to the point where people took action, sometimes with dire consequences, even though there was some doubt as to the validity of the request.
I have used email examples above but these attempts to compromise our systems may also appear in Social Media, text messages and phone calls. Never before have we been under attack from so many cybercriminals trying to access our data to monetise it by selling it on or holding it to ransom. Education, vigilance and communication are essential if we are to keep our organisations (and ourselves) safe.
I started with this aspect of IT security because the people in our organisations can so easily bypass everything else that follows exposing our organisations to a world of organised crime. I will provide some links to detailed sources of information at the end of this article but if you are unsure about anything regarding your IT security please contact us and apply for a Tech Surgery detailing your requirements.
Now we can progress to some of the technical aspects of IT security, starting with user accounts. There are some basic levels of security that need to be maintained in order to keep your network and devices safe and to reduce your exposure to cybercriminals. I will look at the data we are trying to protect later in this article. In this section we will look at usernames, passwords and policies.
Every user must have a dedicated and unique username that they are responsible for. They must not allow anyone else to use their user account and must never share their password. There may be specific systems or devices requiring a generic username and password, for example: admin access to an internet router or server (see ‘Access Rights’ below).
User accounts that are no longer required, for example when people leave the organisation, should be disabled promptly and then deleted. Ideally this will be part of a ‘Leavers Policy’ that is actioned whenever someone leaves the organisation, and it is worth periodically checking for accounts that nobody has used for months, as these are often forgotten leavers. Remember, when you have a wireless network you do not have to be inside your building to gain access to your network and systems. You cannot be too careful!
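As an added example (not part of the original article), here is a small Python check that turns the leavers policy into something you can run: it reconciles an export of user accounts against the current staff list and flags accounts belonging to leavers, accounts nobody has logged into for a set number of days, and shared accounts with no single responsible owner. The staff list, account records and field names are constructed for the example; in practice the staff list would come from HR and the accounts from your directory or server export.

```python
from datetime import date

# Constructed sample data, not from the article. STAFF would come from HR and
# ACCOUNTS from an export of your directory or server; the field names are assumptions.
STAFF = {"alice", "bob", "carol"}
ACCOUNTS = [
    {"username": "alice", "owner": "alice", "last_login": "2024-05-20"},
    {"username": "dave", "owner": "dave", "last_login": "2024-01-10"},      # left in February, never removed
    {"username": "bob", "owner": "bob", "last_login": "2023-11-01"},        # still employed, never logs in
    {"username": "reception", "owner": None, "last_login": "2024-05-21"},   # shared account, no single owner
    {"username": "carol", "owner": "carol", "last_login": "2024-05-21"},
]


def review_accounts(accounts, staff, today, dormant_days=90):
    """Classify accounts that need action.

    leaver  - the owner is no longer on the staff list (disable, then delete)
    dormant - a current member of staff has not logged in for dormant_days
    shared  - no single responsible owner (allowed only for specific devices, review regularly)
    `today` is an ISO date string so the check is repeatable in tests.
    """
    today = date.fromisoformat(today)
    findings = {"leaver": [], "dormant": [], "shared": []}
    for acct in accounts:
        name = acct["username"]
        if acct["owner"] is None:
            findings["shared"].append(name)
            continue
        if acct["owner"] not in staff:
            findings["leaver"].append(name)
            continue
        idle_days = (today - date.fromisoformat(acct["last_login"])).days
        if idle_days > dormant_days:
            findings["dormant"].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}


if __name__ == "__main__":
    for kind, names in review_accounts(ACCOUNTS, STAFF, "2024-05-22").items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Run this each month against a fresh export and you have an audit trail for the leavers policy rather than relying on someone remembering to remove an account.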
Passwords are obviously vitally important but often the most important passwords are missed and left set to their default values leaving the door wide open to cybercriminals. Always make sure passwords to common network connected devices are changed from their default values to strong, unique passwords.
Every member of your organisation must be encouraged to use strong, unique passwords for their work system accounts, and to change a password immediately if they suspect it has been compromised (the NCSC no longer recommends forcing routine password changes on a fixed schedule, as this tends to produce weaker, predictable passwords). Whoever is responsible for your common network devices such as servers, switches, routers and wireless access points needs to maintain tight control of these devices, ensure they have strong, unique passwords, and change those passwords whenever someone who knew them leaves or finishes their work.
It is wise to work on a ‘need to know’ basis when it comes to allowing access to critical business information and common network devices such as servers and routers. If you have to give someone temporary access to servers or routers (such as a vendor) it is advisable to change the password as soon as they have finished. The exception to this would be when the vendor is managing your systems and devices on your behalf, in which case the third-party service organisation must adopt secure working practices to ensure your organisation remains safe.
Network security relates to preventing unauthorised people from accessing our network. In addition to preventing unauthorised access to our data, we also want to protect our users’ devices while they are using the organisation’s network. If you are a small charity your network equipment may all be in one box comprising the internet router, firewall, switch and wireless network. The internet firewall is the main defence against attacks coming in from the internet. Make sure your firewall is always running the latest firmware, replace the default password with a strong, unique password, and turn off remote administration from the internet unless you genuinely need it.
If you have a wireless network, any default configuration (default network name, default administrator password) needs to be removed. User access should be encrypted using WPA2-PSK (AES) as a minimum, or WPA3 where your devices support it, and WPS should be disabled as its PIN method is easily brute-forced. Use a strong pass-phrase for encrypted wireless access and change it whenever guests or contractors have been given it. If you have regular occasional users requiring wireless access, consider a separate guest network that only allows access to the internet, so that guest users cannot reach internal systems.
Cabling can easily be overlooked when protecting the network. Wireless networks are often cited as being significantly less secure than wired networks. However, many organisations have limited cabling documentation or cable management. Leaving cables patched into network equipment (e.g. the internet router) with no device on the end is a security liability. Someone could gain access to your office under some pretence and connect a wireless access point to your wired network. From that point on the cybercriminal has free access to your network from the street or a vehicle parked nearby. It really is that easy. Always remove patch cables from spare data outlets, or disable unused switch ports, to reduce the risk of this type of attack.
It is important to remember that network security is multi-layered. If any device on the network is compromised it becomes a potential gateway into everything else connected to the network. As mentioned above, if someone clicks on a link in an email and that link triggers a malware download from a remote site the firewall will not protect you.
User Device Protection
User device protection can be the most challenging. Before we do anything we first need to know what it is we are securing. At the earliest opportunity it is advisable to carry out a user device audit to gain an understanding as to what devices your colleagues are using to complete their daily tasks. Please refer to our previous article ‘How to Take Control of Your IT’ for guidance on documenting user devices.
When you have all the users’ devices documented you then need to think about what you need to do to secure them. There are many aspects to this and the type of device will have a bearing on what you can and should do to secure it as effectively as possible. I have included some pointers here but this is far from exhaustive.
If a personal firewall option is available for your device you may want to consider enabling it. It is a popular misconception that certain devices or operating systems are inherently secure, but that is not the reality. Some devices and operating systems are more secure than others, but that does not mean they are totally secure. It is also a matter of economies of scale for cybercriminals: they target the masses rather than the minority, so the most common devices and operating systems receive the lion’s share of their attention. That does not mean the minority are safe from attack.
Anti-malware and anti-virus
Anti-malware and anti-virus software is essential for some devices. It is important to ensure that you are sourcing anti-malware and anti-virus software from reputable organisations. There are many scams on the internet advertising security and performance improvement software that at best installs adware and at worst installs malware.
Once you have installed anti-malware and/or anti-virus software it is essential to keep it up to date with the latest signatures. New malware and viruses are discovered daily and signature updates are released at a similar rate. Even if you do keep everything up to date there is still a risk of being infected through a ‘zero-day’ exploit, which takes advantage of a vulnerability in an operating system or application for which the vendor has not yet released a fix. As with all other aspects of IT security, we install anti-malware and/or anti-virus software and keep it up to date to reduce the risk to our organisation to a minimum, not to eliminate it.
Operating systems suffer from vulnerabilities, and those vulnerabilities are being discovered at an alarming rate, sometimes by the vendors, often by security researchers, and sometimes by attackers first. Our best defence is to keep our operating systems up to date. This applies to desktops, laptops, tablets, smartphones, routers, printers and any other device connected to our network. They are all potential time bombs if their operating system has known vulnerabilities.
Applications can also suffer with vulnerabilities that can expose our organisation to cybercriminals. It is important to update applications when vendors release their software updates, especially when they have documented security issues.
Every application on your device increases the risk of vulnerabilities. Any applications that are surplus to requirements should be removed. It is very easy to lose sight of an application that you rarely use: the vendor may announce a vulnerability that is completely missed because you never use the application. This is an unnecessary risk that is easy to avoid by removing unwanted software.
Unused hardware is also a liability. If you are not using it and it is surplus to requirements it is advisable to remove it.
Wherever possible, disable your device’s ability to automatically run software from removable media (AutoRun/AutoPlay on Windows), so that plugging in a USB stick cannot launch a program by itself.
Data is what this is all about. We are going to these lengths to protect our data. But do we want to protect all our data to the same extent? The answer for most of us is no. The most important question we must ask ourselves is: “What am I trying to protect?” When we know what we are trying to protect we can assess what we need to do to protect it. This is over and above all the measures mentioned above. This is about the data, and potentially the ‘crown jewels’ of your organisation. We must ask what this data, or the loss of it, means to us and what it means to others such as our service users, the authorities and the government. Again, this is not an exhaustive set of instructions, as the specifics will differ for every organisation based on the nature of the charity and the data it holds. You can find more information via the links at the end of this article.
Data rarely stays in one location. In most cases, as it is accessed it is copied into the memory of the user’s device in another location, and the user may even save it to their local drive. This raises a number of questions about your data. Where is your data at rest? Where is it stored, permanently and temporarily? Who has access to your data? Where do they have access to it and on what devices? This may be in the office, at home, in hotels and coffee shops, or literally on the road. What path does your data take in travelling from storage to your users’ devices?
The nature of your data will determine how important these questions are. For example, if you are dealing with very sensitive data you are likely to need a strict policy on where the data can be accessed and the devices it can be accessed from. You may decide that your sensitive data may only be accessed from certain devices in a controlled room in the office, to remove the risk of unauthorised people getting sight of the data over someone’s shoulder.
Backups are vital for any organisation, whether you have one device or thousands. You never know when a disk is going to fail, but statistically we know we are likely to experience a disk failure. Traditional disk drives have moving parts that wear out, and power supplies can fail and take the disk drive with them. Even solid state drives fail, through power surges, firmware faults or simply exhausting their write endurance. Data loss isn’t always the result of nefarious activity.
The most important questions regarding backups are: When do you back your data up? Where do your backups reside? How do you know your backups are good? This may be handled by an automated process as part of your IT systems, but for smaller charities it may be a manual process in which case a person is responsible for running the backup. Having ensured you are taking regular backups, how do you verify that a backup is good and accessible? Backups need to be checked, ideally by actually restoring files from them, to ensure they will be usable in times of need.
You also need to consider how many backups you hold and where. You need to consider the possibility of losing access to your office, maybe as a result of a fire, flood or other disaster, natural or otherwise. If you are maintaining multiple backups you need strict controls to ensure you know which copy is current.
Backups are your lifeline in the event of a security incident. You need to be confident that your backups are secure and you have at least one offline backup. The offline backup could be made daily, weekly, or at whatever frequency you deem appropriate for your charity, the important factor is that once the backup is complete it is physically disconnected from the network to ensure it cannot be affected by a virus or malware infection on your network.
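As an added example (not from the original article), the following Python script demonstrates the “how do you know your backups are good?” check from the section above: it archives a folder, records a SHA-256 checksum of every file in a manifest that is kept separately from the archive, and later verifies that the archive still contains exactly those files with exactly that content. Reading members straight out of the archive rather than extracting them avoids any path-traversal trick in a hostile archive. The sample folder, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks so large files do not need to fit in memory


def sha256_file(path):
    """SHA-256 hex digest of a file on disk."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return a {relative_path: sha256} manifest.

    Keep the manifest with the offline copy (or print it and file it); it is the
    independent record you compare the archive against later.
    """
    src = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Return a sorted list of problems; an empty list means the backup is good.

    Every file in the manifest must be present with matching content, and the
    archive must not contain files the manifest does not know about.
    """
    problems = []
    seen = set()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            expected = manifest.get(member.name)
            if expected is None:
                problems.append(f"unexpected file in archive: {member.name}")
                continue
            digest = hashlib.sha256()
            with tar.extractfile(member) as f:  # stream from the archive, no extraction to disk
                for block in iter(lambda: f.read(CHUNK), b""):
                    digest.update(block)
            if digest.hexdigest() != expected:
                problems.append(f"content mismatch: {member.name}")
    for rel in sorted(set(manifest) - seen):
        problems.append(f"missing from archive: {rel}")
    return sorted(problems)


def demo():
    """Constructed end-to-end run: back up two sample files and verify the archive,
    then change one file (as malware or a careless user might) and show that a later
    backup no longer matches the original manifest. Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"
        (data / "donors").mkdir(parents=True)
        (data / "donors" / "list.csv").write_text("name,amount\nA Smith,50\n")  # constructed
        (data / "policy.txt").write_text("Leavers policy v1\n")                  # constructed
        first = Path(tmp) / "backup-1.tar.gz"
        manifest = make_backup(data, first)
        clean = verify_backup(first, manifest)
        (data / "donors" / "list.csv").write_text("ENCRYPTED")  # simulate a changed/encrypted file
        second = Path(tmp) / "backup-2.tar.gz"
        make_backup(data, second)
        tampered = verify_backup(second, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("first backup problems:", clean or "none")
    print("second backup checked against the first manifest:", tampered)
```

Checking the archive against a manifest stored elsewhere is what makes the check meaningful: a manifest stored inside the same archive would be overwritten along with the data it is supposed to vouch for.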
Many charities are making use of Cloud applications and storage to reduce the risk of having to run and secure servers on their premises. If your data is in the Cloud you are still responsible for it, even though some aspects of access and maintenance may be out of your control.
Some organisations believe that if their data is stored in the Cloud it is safe and backed up automatically. If you are working with a reputable Cloud provider it is probably reasonable to assume your data is safer. But if your data is also synchronised to a number of users’ hard drives and one of those devices is hit by crypto-type malware, the sync client will faithfully upload the encrypted files, and your Cloud file system can be locked and become inaccessible too. Malware is not the only threat. The fact that a number of users have access to this data means you are also at their mercy. If one of your team members deletes or moves a number of folders out of the Cloud storage file system, they may not be there when you next try to access them. This is not theory; I know of several real-life examples of this.
Cloud storage does enable you to have an immediate backup of your data but in the event of a major event such as a malware infection or a user accidentally deleting your files you may still lose data. Most Cloud providers have a facility to reinstate data that has been lost but this process may take some time. You should also consider that your Cloud provider may also be hit by a disaster preventing you from gaining access to your data. You need to have a plan B! An offline backup could well be your lifeline in the event of a number of disasters.
My data has been accessed by cybercriminals
This could still happen even if you take every precaution available. As I mentioned at the beginning of this article, one user clicking on an innocent-looking link in an email is all it takes to be infiltrated. As with any disaster risk it is important to be prepared. Have a rehearsed plan ready to put into action in the event of your data being compromised.
You need to think about who will be in charge throughout the incident. If you are made aware of a breach at 1am on a Sunday morning, who will you call in your organisation? What external organisations will you inform? Who will handle your (pre-prepared) press release and manage any press enquiries? What is your recovery strategy? The nature of the data breached will determine the intensity of this process.
The only method we all have available to us to totally secure our systems is to power them all off and lock them in an ultra-secure repository. All the effort we go through to secure our systems is to reduce the risks to our organisation. We cannot hope to remove it completely.
It may help if you can imagine yourself in the mind of the cybercriminals. How much effort would you go through to gain access to your data? What is the prize? What is of real value? Having gained access to the data, what more do they have to do to monetise the data? Names, addresses and bank account details are obviously a bigger prize for cybercriminals than a list of email addresses. You need to provide a reasonable and appropriate level of security for your systems and data to make it difficult for cybercriminals to infiltrate your systems or encourage them to focus their effort on another organisation.
On a positive note, the UK Government are keen to help us all to operate safe and secure systems. Cyber Essentials is a great scheme with some valuable information to help you to secure your organisation. The National Cyber Security Centre is another great source of information and it is there for us all, as its vision is to help make the UK the safest place to live and do business online. Action Fraud provides a central point of contact for information about fraud and cybercrime, so if you do fall victim to cybercriminals you can report it there.
If you are a charity and you need help with securing your systems you can place a request for a CITA Tech Surgery. In the meantime, there are a number of links below where you can find more information on all of the aspects discussed above.
Links to more information
To assess your cyber security, with valuable information on how to secure your organisation…
National Cyber Security Centre
Interesting cyber security information in support of CyberEssentials…
Keep up to date with cyber threats and report any incidents to help the police in their investigations into cybercrime…
BBC News – Three words to set alarm bells off for every firm
Interesting article about CEO Fraud…
CITA article – How to Take Control of Your IT
Provides guidance on auditing your IT users and equipment, a basic requirement for securing your IT…